MPO Magna App Privacy Policy

Version September 9, 2024

  1. DEFINITIONS.
  2. Why do we process your data?
  3. What data is collected and processed?
  4. Is your data disclosed or shared with third parties?
  5. Do we transfer your data outside the European Union?
  6. How long is your data kept?
  7. How do we protect your privacy?
  8. What are your rights and how to exercise them?
  9. Do we use cookies?
  10. What is the applicable law and the competent jurisdictions?
  11. Be mindful to the update of this Policy

This Policy is established by MicroPort Orthopedics Inc.:
5677 Airline Road
Arlington TN 38002
mpomagna@ortho.microport.com

Hereinafter, "MPO" or "we", “us”,” our”.

We are particularly vigilant to the protection of personal data (hereinafter referred to as data) and to the respect of the privacy of all persons who come into contact with us. We act transparently, in accordance with national and international provisions in this area, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 on the protection of individuals with regard to data processing for personal use and for the free movement of this data, and which repeals Directive 95/46 / EC (hereinafter referred to as the "General Data Protection Regulation" or "GDPR / GDPR").

This Policy describes the measures undertaken for the treatment and processing of your personal data, and your rights as a data subject.

MPO as processor of sensitive data such as health data, processes on behalf of hospitals, clinics, health care providers or moveUP. You should therefore contact them for information on the processing of your personal data.

If your personal data are processed by moveUP, please find the moveUP privacy policy here.

You can react to any of the treatment described below by contacting us.
We inform you that your data will be used in compliance with this data protection declaration.

 

1.DEFINITIONS

In this statement, the following words and expressions shall be understood as follows:
Statement: This privacy statement.

General terms and conditions of use: The general terms and conditions and the condition of use of MPO Magna which administer the use of MPO Magna.

Personal data: Any information processed relating to an identified or identifiable physical person in accordance with this declaration is described in the article "The data processed".

Data relating to health: Data of a personal nature relating to the physical or mental health of a physical person, which reveal information about the health condition of that person.

Our professional healthcare partners: The healthcare professionals who are connected to the patient via MPO Magna.

Our services: All the services we provide on MPO Magna in the context of our professional activity or in execution of our statutory purpose, as described in our general terms and conditions of use, more specifically: a personalized monitoring and rehabilitation program with a choice of exercises adapted to your situation by means of videos, a personalized follow-up, figures and graphs of your progress as well as, where applicable, connecting with our professional healthcare partners, etc.

Person responsible for processing: The legal entity that determines the effectiveness and means of processing personal data in accordance with this declaration, namely us.

Processing: Any operation or set of operations, whether or not carried out with the aid of automated processes and applied to data of a personal nature, such as collection, recording, organization, storage, adaptation or alteration, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, association or linkage, as well as the locking, erasure or destruction of data of a personal nature; in this declaration, the terms "processing", "processing", "processed", etc. refer to the present definition.

Anonymized data: Removing readily identifiable elements such as name and e-mail address and using masking data.

DPO: The data privacy officer (DPO) is the person who monitor’s MPO Magna compliance with the General Data Protection Regulation (GDPR) in relation to the protection of personal data.

 

2.Why do we process your data?

We collect and process your personal data for different reasons based on a legal ground determined by the GDPR (for example, compliance with a legal obligation to which we are subject or the performance of a contract concluded with you). The table below sets out the purposes and the legal grounds for the use of your personal data.

Processing: Management of our medical care customers.

Purposes: We process your personal data in order to carry out operations relating to the contracts; invoices; accounting; provision of documents;

We could process your personal data to contact you or a member of your team and answer your questions;

Legal grounds for processing: In accordance with article 6.1.b) of the GDPR, this processing is necessary for contractual or statutory measures.

Some processing is necessary to achieve our legal obligations in accordance with article 6.1.c) of the GDPR.

Processing: Management of the application and the identification and authentication of doctors and other care providers; or patients/customers.

Purposes: We process your personal data to give you access to our application. We could also process your data to contact you and answer your questions; ensure the technical administration and security of MPO Magna;  

Legal grounds for processing: In accordance with article 6.1.b) of the GDPR, this processing is necessary for contractual or statutory measures. We may process your data, in accordance with the provisions of Article 6§2, f), on the basis of our legitimate interest, as soon as we have balanced this interest with your interests or fundamental rights and freedoms by examining your "reasonable expectations".

Processing: Management of our patients/customers.

Purposes: We process your personal data in order to carry out operations relating to the contracts; invoices; accounting; provision of documents; We could process your personal data to contact you and answer your questions;

Legal grounds for processing: In accordance with article 6.1.b) of the GDPR, this processing is necessary for contractual or statutory measures. This processing is necessary to achieve our legal obligations in accordance with article 6.1.c) of the GDPR.

Processing: Research, statistics, and improving our application software and other medical devices.

We process personal data in order to provide data-driven improvements to our services and product offerings. We process personal data to conduct scientific, historical and statistical research and development;

To this end, some of your personal data may become data points for use in statistical analysis. When using statistical analysis, we anonymize your data, and remove readily identifiable elements such as name and e-mail address and  mask the data (e.g., use a case ID number) for market research or other professional purposes.

Anonymized data do not fall within the GDPR’s scope. In accordance with article 6.1.a) of the GDPR, we may process your data on the basis of your consent.

You can withdraw your consent anytime by contacting us (mpomagna@ortho.microport.com).

Processing: Management of our communication.

Purposes: We process personal data in order to provide you with information relating to our activities and services.

We may use your data to respond to our legitimate interest or to that of third parties, when this is necessary without affecting your interests or your fundamental freedoms and rights to offer and promote all services and / or share with your informative messages that corresponds to what you can reasonably expect from us in the context of our existing relationship or possible future relationship.

Legal grounds for processing: We may process your data, in accordance with the provisions of Article 6§2, f), on the basis of our legitimate interest, as soon as we have balanced this interest with your interests or fundamental rights and freedoms by examining your "reasonable expectations".

You can object to the processing by contacting us.

Processing: Management of our pre-contractual relationships.

Purposes: We process your personal data in order to respond to requests that you address to us (in particular via the contact form on our site).

We can also process your personal data in order to contact you to initiate a possible future collaboration.

Legal grounds for processing: In accordance with article 6.1.b) of the GDPR, this processing is necessary in order to take steps prior to entering into a contract.

Processing: Management of our suppliers.

Purposes: We process personal data to fulfill our contractual obligations to you or to your company or our legal obligation, for instance accountable legal obligations.

Legal grounds for processing: In accordance with article 6.1.b) of the GDPR, we process your data for the performance of our contracts concluded with you or your company. This processing could also be necessary to achieve our legal obligations in accordance with article 6.1.c) of the GDPR.

Processing: Management of our litigation.

Purposes: We may use your personal data to respond to our legitimate interest or to that of third parties, when this is necessary without affecting your interests or your fundamental freedoms and rights to manage a litigation in the context of our existing relationship or possible future relationship.

Legal grounds for processing: We also have a legitimate interest in processing personal data for the defense of our interests, in particular but not exclusively in the context of a dispute or legal action on the basis of Article 6.1.f) of the GDPR. We may also be required to process sensitive data in this context, in accordance with the provisions of article 9.2, f) of the GPDR.

Unless they are within a legal exception, you can object to the processing based on this basis, or on your consent at any time, by contacting us.

 

3.What data is collected and processed?

We only collect personal data that is adequate, relevant and limited to what is strictly necessary with regard to the purposes for which it is processed. Depending on the purposes, data collection is carried out differently. We detail below the personal data that we collect about you, as well as the methods of collection.

Processing: Management of our medical care customers.

The data collected and processed:

  • Personal identifying data: first and last name; personal address; phone number.
  • Electronic identification data: email address.
  • Professional data: job title; workplace; Your Riziv/INAMI number; VAT.

Collection method:

  • Directly through you. You have made them publicly available, on public media and social networks, mainly LinkedIn.
  • Via your healthcare provider, colleague, healthcare institution, insurance company, hospital, clinic or surgical center that is in contact with us.

Processing: Management of our customers.

The data collected and processed:

  • Personal identifying data: first and last name; personal address; phone number; national register number.
  • Electronic identification data: email address, IP address; encrypted password and username, or the PIN code.
  • Personal feature: date of birth; place of birth; gender; nationality.
  • Family data: marital and familiar status; (Family composition).
  • Photos and videos according to your rehabilitation.
  • Your identity card may be requested for the verification of your data - directly through you (if you request information about a possible inclusion, when registering to start, from the first use of our platform, at your initiative, by any clear positive action, any given expression of free will, although specific, informed and unambiguous, including by e-mail, text message, verbally by phone, during a visit to our address, when you enter information in an application form).

Collection method:

  • Directly through you
  • You have made them publicly available, on public media and social networks, mainly LinkedIn.
  • Via your healthcare provider, colleague, healthcare institution, insurance provider, hospital, clinic or surgical center that is in contact us.

Processing: Management of the application and the identification and authentication of doctors.

The data collected and processed:

  • Personal identifying data: first and last name; personal address; phone number.
  • Electronic identification data: email address, encrypted password and username; IP address.
  • Professional data: job title; workplace; your Riziv/INAMI number; job title; workplace; national register number.
  • Your identity card can be requested to verify your data.

Collection method:

  • Directly through you (if you request information about a possible collaboration, when you register to setup, from the first use of our platform, at your initiative, by any clear positive action, any given expression of free will, albeit specific, informed and unambiguous, including email, text message, verbal by phone, during a visit to our address, when you fill in information in an application form, at any event or training that we organize where you present your business card or personal data).

 

Processing: Research, statistics, and improving our application software.

The data collected and processed:

  • Personal identifying data: surname, first name, address, telephone number, order number, etc.
  • Electronic identification data: email address, encrypted password.
  • Personal feature: nationality, gender, languages spoken, country and town/city of birth
  • Health data; Data relating to health (which may include information about your procedure, condition, anatomy, diagnosis, recovery, and rehabilitation).
  • Activity data (Steps, sleep – including location data)
  • Encrypted data
  • Photographs
  • Any data, heath data required for our clinical trial or the research to improve our application.

Collection method:

  • From you if you have made such data publicly available or if you authorize such use when you register to setup, from the first use of our platform, at your initiative, by any clear positive action, any given expression of free will, albeit specific, informed and unambiguous, including email, text message, verbal by phone, during a visit to our address, when you fill in information in an application form, or at any event or training that we organize where you present your business card or personal data to the extent that such personal data is on such card or to the extent presented.

Processing: Management of our communication.

The data collected and processed:

Personal identifying data: surname, first name, telephone number, address.

  • Electronic identification data: email address.
  • Directly from you.
  • You have made them publicly available.
  • Via your healthcare provider, colleague, healthcare institution, insurance provider hospital, clinic, or surgical center that is in contact us.
  • Management of our pre-contractual relationships.
  • Personal identifying data: surname; first name; address; telephone number; order number.
  • Electronic identification data: IP address; email address.
  • Personal features: age; sex; date of birth; country; language; in your resume.
  • Professional data: diploma; career; in your resume.
  • Photographs.
  • ID copy.

Collection method:

  • Directly from you. I.e. if you have made them publicly available, or if you consent. Consent can be at your initiative, by any clear positive action, any given expression of free will, albeit specific, informed and unambiguous, including email, text message, verbal by phone, during a visit to our address, when you fill in information in an application form, at any event or training that we organize where you present your business card or personal data.

Processing: Management of our suppliers.

The data collected and processed:

  • Personal identifying data: first and last name; address; telephone number; order number.
  • Electronic identification data: IP address; email address.
  • Financial data: VAT, bank account number; open receivable.

Collection method:

  • Directly from you. You have made them publicly available or by consent.

Processing: Management of our litigation.

  • The data collected and processed:
  • Personal identifying data: last and first name; address; telephone number; order number.
  • Electronic identification data: IP address; email address.
  • Family data: marital status.
  • Personal feature: age; sex; date of birth; language.
  • Professional data: profession; diploma; career.
  • Health data from your medical file or collected through the MPO Magna app.
  • Any, sensitive or not, data necessary for the defense of our legal interests.

Collection method:

  • Directly from you. You have made them publicly available.
  • From your healthcare institution, hospital, health care provider.

 

4. Is your data disclosed or shared with third parties?

The data listed above is accessible to people who are members of our global team who need to have access to it, or to third parties that are intervening as collaborators, professional healthcare practitioners, lawyers, insurance providers, financial institutions, or technical advisors to the strict extent necessary to achieve one or more of the purposes set forth in this Policy.

We are also likely to transmit your data:

  1. at the request of a legal, judicial or administrative authority or auxiliary of justice; or
  2. in good faith, considering that this action is required to comply with any current law or regulation.
  3. in order to protect and defend our rights or those of other users of our services.

 

We may also be required to leave access to certain data to our co- contracting parties, qualified as "subcontractors" within the meaning of the legislation, to the extent strictly necessary for the achievement of our purposes, such as the operation of applications or computerized management systems.

In all circumstances, we ensure the protection of your data by agreements ensuring that the recipient is subject to confidentiality and use obligations that are no less restrictive than those of this Policy.

Type of service provider: processor – controller - Location
Customer service tool for your feedback and complaint handling. - In Europe
Software development company. - In Europe
Document management, productivity tools and emails. - In Europe and US
Providers of mailing solutions. - In Europe and US
Document management. - In Europe and US
Database infrastructure and service provider. - In Europe
Database management system. - In Europe
Providers of IT solutions and maintenance of the website. - In US
CRM. - In Europe
Social media. - In Europe and US
Cloud provider and database server. - In Europe and US
Lawyers and legal services providers. - In Europe and US
HR services and social security. - In US
Accountants and financial services providers: Invoicing and payment. - In US
Communication tools. - In Europe and US
Banks - In Europe and US

More information about the subcontractors is available via "mpomagna@ortho.microport.com

Finally, in the context of academic or scientific research, in the context of scientific or statistical surveys, we may transfer certain data as long as these data have been rendered anonymous or pseudonymized.

Access by health care providers to the data is on the basis of a therapeutic relationship that is activated when the account is created. The user can request and modify these therapeutic relationships at any time.

In all circumstances, we do not communicate personal data to third parties without your consent, except in the cases mentioned above.

 

5.Do we transfer your data outside the European Union?

We may make transfers outside the European Union. If applicable, data transfers to a country outside the Union will  be authorized if :

  • The European Commission has issued a decision granting an adequate level of protection equivalent to that provided for by European legislation, personal data will be transferred on this basis; or.
  • The transfer is covered by an adequate measure granting a level of protection equivalent to that provided for by European legislation, such as the Commission's Standard Clauses; and.
  • the receiver is obligated processes said personal data under terms and conditions that are no less restrictive than the terms and conditions of this Policy.

 

6.How long is your data kept?

Your personal data that we process will be kept for:

  • The time strictly necessary for the fulfilment of our legal and contractual obligations, as part of your registration/application.
  • The time strictly necessary to protect the vital interests of you or any other person pursuant to this Policy

Processing - Duration.

Management of our medical care customer. - Data storage is 7 years from the 1 January of the year following the end of the financial year, in accordance the legal retention period of accounting laws.

Management of Customer Data storage is 30 years from our last action in your files.

Management of the identification and authentication of doctors and other care providers. - There is no storage, your data are deleted at the end of our contractual relationship.

Research, statistics, and improving our application.Data storage is 20 years after completion of our study and research for clinical trial and indefinite if said data is anonymized or pseudonymized, or otherwise is confidential either individually or as a subset of an aggregate data collection.

Management of our communication. - Data storage is 2 years from your last contact with us.

Management of our suppliers.Data storage is 7 years from the 1 January of the year following the end of the financial year, in accordance the legal retention period of accounting laws.

Management of our litigation.In the event of a dispute the data storage is 10 year from the notification of the decision, in accordance the legal retention period of accounting laws.

 

7. How do we protect your privacy?

We strive to optimally protect your personal data against unauthorized use and leakages. To this end, we use physical, organizational, technological, administrative and appropriate measures such as, and not limited to:

  • We use recognized security and encryption processes that are recognized to ensure the security of the transmission and storage of your data to and from MPO Magna.
  • We have organizational measures in place, such as restricting access to our computer systems in accordance with the strict needs of each member of staff, with respect to his or her job;
  • As soon as we can, your data will be pseudonymized or anonymized (depending on the purpose).
  • We host your information on our servers which are protected by ad hoc security and certificates.
  • We have an internal privacy policy and we conduct regular basic training to maintain data privacy awareness.

 

8. What are your rights and how to exercise them?

We attach a great deal of importance to the rights we have as individuals. We are at your service and invite you to contact our contact person at the following e-mail address: mpomagna@ortho.microport.com  or by post to our postal address.

You can exercise the following rights:

  • Right of access, information and rectification.

You can request information at any time about our treatments, the objectives pursued, the categories of personal data that we hold about you, the categories of recipients of this data (third countries or international organizations), the retention periods or criteria for determining these periods, your other rights, other sources of your data and the existence of an automated decision-making process.

You may also ask for your data to be corrected or supplemented if it proves to be incorrect or incomplete. When exercising this right, you must specify the exact dates you wish to have corrected and completed. We will answer your question as soon as possible, but we are obliged to consider the rights and freedoms of others when providing this information.

  • Right to restrict processing.

You have the right to ask for the processing of your personal data to be restricted when:

  1. You dispute the accuracy of these data.
  2. You are in the waiting period necessary to evaluate the interests at stake before exercising the right to object to the processing of certain personal data.
  3. The processing of your personal data is unlawful, but you do not wish to exercise your right to deletion.
  4. We no longer need your personal data for the purposes set out in this data protection declaration, but you will need them in the context of legal action.
  • Right to object.

You can object to the processing of your personal data if your data is processed on the basis of our legitimate interests or on the basis of consent. To exercise this right, please send us an e-mail at the following address: mpomagna@ortho.microport.com . You can also click on "unsubscribe" which you will find in every e-mail you receive from us.

  • Right to data portability.

If your information is treated as part of our contractual obligations or following your consent, you have the right to have your personal information transferred in the form in which we hold it or to have it transferred to another person designated by you.

To exercise this right, you must indicate this on the form we make available on our website. You can also send us an e-mail at the following address: mpomagna@ortho.microport.com.

  • Right to erasure / right to be forgotten.

In the cases provided for by the General Data Protection Regulation (GDPR) or the law, we will proceed with the deletion of your personal data at your request. In principle, you can exercise your rights free of charge. You can also send us an e-mail at the following address: mpomagna@ortho.microport.com.

Around one month after receipt of your request, we will inform you in writing of the action we have taken at your request. Depending on the difficulty of your request or the number of requests we receive from other people, this period may be extended by two months. In this case, we will inform you of this extension within one month of receiving your request. In some cases (e.g., legal obligations, rights of others, limitation periods, ...), you may not be able to exercise your rights, in whole or in part. You will then be informed as to why we cannot fully comply with your request.

  • Right to individual decision making.

You have the right not to be subject to a decision based solely on automated processing. We combine automated processes with human intervention, with no fully automated individual decision-making for the time being. You can always ask questions about this via mpomagna@ortho.microport.com.

  • Questions, comments, complaints, data leaks?

We remain at your disposal for any questions, comments or complaints regarding the protection of your personal data. If you notice a data leak or if you suspect a data leak, please report it to us immediately via mpomagna@ortho.microport.com .

In addition, in accordance with Article 37 of the GDPR, we have appointed a Data Protection Officer (DPO).

Finally, you also have the right to lodge a complaint with the Data Protection Authority (DPA)

You can also lodge a complaint in the first instance court.

For each demand, we will try to respond as soon as possible and at least around one month of your demand. Depending on the difficulty of your request or the number of requests we receive, this period may be extended by two months. In such case, we will notify you of this extension within one month of receiving your request.

In all circumstances, when communicating this information, we are always obliged to take into account the rights and freedoms of other people.

 

9.Do we use cookies?

A cookie is a code in the form of a file stored on your computer. Cookies help us to improve our website, to facilitate your browsing and to analyze audiences. Learn more about our Cookie Policy. 

 

10. What is the applicable law and the competent jurisdictions?

This Policy is governed by Irish law. Any dispute relating to the interpretation or execution of this Policy will be subject to Irish law and will fall under the exclusive jurisdiction of the courts of the judicial district of the Republic of Ireland.

 

11. Be mindful to the update of this Policy!

This Policy can be updated at any time without notice of modification. We advise you and invite you to consult it regularly.

Last update on September 9, 2024.